hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_key_vault deletes network_acls ip_rules #26691

Open Joseluismantilla opened 1 month ago

Joseluismantilla commented 1 month ago

Is there an existing issue for this?

Community Note

Terraform Version

1.9.2

AzureRM Provider Version

3.112.0

Affected Resource(s)/Data Source(s)

azurerm_key_vault

Terraform Configuration Files

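locals {
  # Map each diagnostic log category name to itself.
  log_category_map = {
    for category in var.diagnostic_log_category_list:
      category => category
  }
  # /24 network containing the public IP of the machine running Terraform, derived from
  # the ifconfig.io response body. The value comes from an external HTTP lookup and is
  # only known at apply time, so any set that contains it is planned as "(known after apply)".
  # The dots in the regex are escaped so that only a dotted IPv4 prefix is accepted;
  # with unescaped dots (matching any character) an unexpected response body could have
  # yielded a non-address prefix that then ends up in a firewall allow rule.
  # NOTE(review): a response that is not an IPv4 address (e.g. IPv6) makes regex() fail
  # instead of producing a bogus rule — confirm that is the intended failure mode.
  msft_agent_public_ip = join(".", [element(regex("(\\d+\\.\\d+\\.\\d+)", trimspace(data.http.msft_agent_public_ip.response_body)), 0), "0/24"])
}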
# Public IP of the agent running Terraform, as reported by an external lookup service.
# In the plan below this data source is deferred to apply time because a dependency has
# pending changes. NOTE(review): the response body is untrusted external input that feeds
# a Key Vault network ACL allow rule; the consuming expression should tolerate only the
# exact format it expects.
data "http" "msft_agent_public_ip" {
  url = "https://ifconfig.io"
}

# Identity Terraform is currently authenticated as (tenant, subscription, client/object ids).
# Also deferred to apply time in the plan below, which is why tenant_id shows as "(known after apply)".
data "azurerm_client_config" "current" {}

# Key Vault under test. NOTE(review): with default_action = "Allow" the ip_rules set does
# not restrict access at all — every source address is permitted and the IP rules only
# take effect when default_action is "Deny".
resource "azurerm_key_vault" "key_vault" {
  name                        = var.name
  location                    = var.location
  resource_group_name         = var.resource_group_name
  ...

  # Public endpoint enabled; together with default_action = "Allow" below the vault
  # accepts traffic from any IP.
  public_network_access_enabled  = true  

  network_acls {
    # Allow by default: the ip_rules set does not narrow access unless this is "Deny".
    default_action               = "Allow"
    # Trusted Microsoft services may reach the vault regardless of the IP rules.
    bypass                       = "AzureServices"
    # Empty rule set when public traffic is "disallowed"; otherwise the runner's /24 plus
    # the fixed ranges. NOTE(review): an empty ip_rules with default_action still "Allow"
    # does not block public traffic — disallowing it would also need default_action =
    # "Deny" or public_network_access_enabled = false. The runner address is unknown
    # until apply, so Terraform plans the whole set as unknown (see the plan output
    # below). concat() over a single list returns that list unchanged.
    ip_rules                     = var.disallow_public_traffic ? [] : concat([local.msft_agent_public_ip, "192.168.1.0/24", "192.168.192.0/20" ])
  }
}

Debug Output/Panic Output

# module.keyvault.data.azurerm_client_config.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_client_config" "current" {
      + client_id       = (known after apply)
      + id              = (known after apply)
      + object_id       = (known after apply)
      + subscription_id = (known after apply)
      + tenant_id       = (known after apply)
    }

  # module.keyvault.data.http.msft_agent_public_ip will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "http" "msft_agent_public_ip" {
      + body                 = (known after apply)
      + id                   = (known after apply)
      + response_body        = (known after apply)
      + response_body_base64 = (known after apply)
      + response_headers     = (known after apply)
      + status_code          = (known after apply)
      + url                  = "https://ifconfig.io"
    }

  # module.keyvault.azurerm_key_vault.key_vault will be updated in-place
  ~ resource "azurerm_key_vault" "key_vault" {
        id                              = "/subscriptions/..../providers/Microsoft.KeyVault/vaults/kv-dfin-eus2-dev-sat-c"
        name                            = "kv-dfin-eus2-dev-sat-c"
        tags                            = {
            "app-name"             = "saturn-core"
            ...
        }
      ~ tenant_id                       = "64ebfaf9-be45-43c2-9e9c-abcdefg234d" -> (known after apply)
        # (12 unchanged attributes hidden)

      ~ network_acls {
          ~ ip_rules                   = [
              - "192.168.1.0/24",
              - "192.168.192.0/20",
          ....
            ] -> (known after apply)
            # (3 unchanged attributes hidden)
        }
    }

{"id":"/subscriptions/830ee61f-f704-422a-bb16-0c6a60221791/resourceGroups/rg-eus2-dev-saturn-core/providers/Microsoft.KeyVault/vaults/kv-dfin-eus2-dev-sat-c","name":"kv-dfin-eus2-dev-sat-c","type":"Microsoft.KeyVault/vaults","location":"eastus2","tags":{"app-name":"saturn-core","cost-center":"81083514US-Venue","data-classification":"restricted","deployment-date":"07-24-2023","end-of-life":"permanent","environment":"development","location":"eastus2","product-name":"saturn","product-owner":"jay.x.patel@dfinsolutions.com","region":"East US 2","workload-infra-owner":"david.puig@dfinsolutions.com","workload-owner":"david.puig@dfinsolutions.com"},"systemData":{"createdBy":"d8ead93e-fa4e-451a-b2c3-2cb10a6609a8","createdByType":"Application","createdAt":"2023-05-02T20:24:56.579Z","lastModifiedBy":"rr615973-dev@dfin365.onmicrosoft.com","lastModifiedByType":"User","lastModifiedAt":"2024-07-18T14:40:10.156Z"},"properties":{"sku":{"family":"A","name":"premium"},"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","networkAcls":{"bypass":"AzureServices","defaultAction":"Allow","ipRules":[{"value":"185.46.212.0/22"},{"value":"104.129.192.0/20"},{"value":"165.225.0.0/17"},{"value":"165.225.192.0/18"},{"value":"147.161.128.0/17"},{"value":"136.226.0.0/16"},{"value":"137.83.128.0/18"},{"value":"162.27.66.130/32"},{"value":"162.27.66.76/32"},{"value":"72.21.46.236/32"},{"value":"72.21.45.197/32"},{"value":"20.12.97.0/24"},{"value":"52.184.202.0/24"}],"virtualNetworkRules":[]},"accessPolicies":[{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"fcef2658-6f8d-4bfe-8221-e2de5d78eafa","permissions":{"keys":["Get","List","Backup"],"secrets":["Get","List","Backup"],"certificates":[],"storage":[]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"f40a4cc0-b49f-4d2b-835f-4660edcadac5","permissions":{"keys":["Get","List","Create","Encrypt","Decrypt"],"secrets":["Get","List","Set","Backup","Delete","Purge","Restore","Recover"],"certificates":["Get","List","Create","Delet
e","Import","Purge","Recover","Recover","Restore","Backup"],"storage":["Get","List"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"54b5f17b-e022-42b9-88d3-1c0ec20813e2","permissions":{"keys":["Get"],"secrets":["Get"],"certificates":["Get"],"storage":["Get"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"82288ec7-f5fb-418c-a2fa-c9a8ea0f42c4","permissions":{"keys":[],"secrets":["Get","List","Set","Delete","Recover","Backup","Restore"],"certificates":[]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"c552ea3f-82a8-4e30-a7b6-0a08143b2e04","permissions":{"keys":["Get","List","Update","Create","Import","Delete","Recover","Backup","Restore","GetRotationPolicy","SetRotationPolicy","Rotate"],"secrets":["Get","List","Set","Delete","Recover","Backup","Restore"],"certificates":["Get","List","Update","Create","Import","Delete","Recover","Backup","Restore","ManageContacts","ManageIssuers","GetIssuers","ListIssuers","SetIssuers","DeleteIssuers"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"05f54b98-b969-4232-a139-045350f70085","permissions":{"keys":["Get"],"secrets":["Get"],"certificates":["Get"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"41faa816-2d96-41a2-80bb-dffefc6aee68","permissions":{"keys":["Get"],"secrets":["Get","List","Set"],"certificates":["Get"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"a6887691-3c8c-40e0-9d17-1085a0e295cc","permissions":{"keys":["Get"],"secrets":["Get"],"certificates":["Get"],"storage":["Get"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"9b0e9728-45a5-4758-a254-050eef8f5879","permissions":{"keys":["List","Get","Update","Create","Delete"],"secrets":["Get","List","Set","Delete"],"certificates":[]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"0f6c17d7-11c4-4c55-844d-269d18aed5b5","permissions":{"keys":["Get"],"secrets":["Get"],"certificates":["Get"],"storage":["Get"]}},{"tenantId":"64ebfaf9-be45-43
c2-9e9c-fcb060bf234d","objectId":"af867ee8-1466-4cc8-aa9d-3a1bfcf3e0ab","permissions":{"keys":["Get"],"secrets":["Get"],"certificates":["Get"],"storage":["Get"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"74826071-efab-4a2e-bbbd-5dbe102c5748","permissions":{"keys":["Get"],"secrets":["Get"],"certificates":["Get"],"storage":["Get"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"b9daa933-02bf-474f-a73c-c86623668ec2","permissions":{"keys":[],"secrets":["Get","List"],"certificates":[]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"9f85cd99-3a47-4974-8b8b-c37daf0c8ca2","permissions":{"keys":[],"secrets":["Get","List"],"certificates":[]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"f715c3f3-f31d-4b33-8e76-675941b152bb","permissions":{"certificates":[],"keys":["Get","List","Update","Create","Import","Delete","Recover","Backup","Restore","GetRotationPolicy","SetRotationPolicy","Rotate"],"secrets":["Get","List","Set","Delete","Recover","Backup","Restore"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"1eb72711-b1ba-47b5-9f2f-cbca47b34040","permissions":{"certificates":["Get"],"keys":["Get"],"secrets":["Get"],"storage":["Get"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"02528324-28eb-4dc7-a8e3-48efde35195f","permissions":{"certificates":[],"keys":["List","Get","Create","Update"],"secrets":["Get","Set","List"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"1f6e63fa-2d2c-4e6d-a975-254bfce849f2","permissions":{"certificates":["Get"],"keys":["Get"],"secrets":["Get"],"storage":["Get"]}}],"enabledForDeployment":true,"enabledForDiskEncryption":true,"enabledForTemplateDeployment":true,"enableSoftDelete":true,"softDeleteRetentionInDays":7,"enableRbacAuthorization":false,"vaultUri":"https://kv-dfin-eus2-dev-sat-c.vault.azure.net/","provisioningState":"Succeeded","publicNetworkAccess":"Enabled"}}: timestamp=2024-07-18T15:03:13.217-0500
2024-07-18T15:03:13.845-0500 [DEBUG] provider.terraform-provider-azurerm_v3.112.0_x5: POST https://login.microsoftonline.com/64ebfaf9-be45-43c2-9e9c-fcb060bf234d/oauth2/v2.0/token: timestamp=2024-07-18T15:03:13.845-0500
2024-07-18T15:03:13.990-0500 [DEBUG] provider.terraform-provider-azurerm_v3.112.0_x5: AzureRM Request: 
GET /certificates/contacts?api-version=7.4 HTTP/1.1
Host: kv-dfin-eus2-dev-sat-c.vault.azure.net
User-Agent: Go/go1.21.6 (amd64-linux) go-autorest/v14.2.1 tombuildsstuff/kermit/v0.20240122.1123108 keyvault/7.4 HashiCorp Terraform/1.9.2 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/3.112.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
X-Ms-Correlation-Request-Id: 72eb4095-d39b-4a4a-483d-d82b785480c9
Accept-Encoding: gzip: timestamp=2024-07-18T15:03:13.989-0500
2024-07-18T15:03:14.368-0500 [DEBUG] provider.terraform-provider-azurerm_v3.112.0_x5: AzureRM Response for https://kv-dfin-eus2-dev-sat-c.vault.azure.net/certificates/contacts?api-version=7.4: 
HTTP/1.1 403 Forbidden
Content-Length: 478
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Thu, 18 Jul 2024 20:03:14 GMT
Expires: -1
Pragma: no-cache
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Content-Type-Options: nosniff
X-Ms-Keyvault-Network-Info: conn_type=Ipv4;addr=181.55.22.68;act_addr_fam=InterNetwork;
X-Ms-Keyvault-Region: eastus2
X-Ms-Keyvault-Service-Version: 1.9.1625.1
X-Ms-Request-Id: 5c73115a-0fa0-461c-aab8-cf33258f931a

{"error":{"code":"Forbidden","message":"The user, group or application 'appid=d8ead93e-fa4e-451a-b2c3-2cb10a6609a8;oid=f40a4cc0-b49f-4d2b-835f-4660edcadac5;numgroups=0;iss=https://sts.windows.net/64ebfaf9-be45-43c2-9e9c-fcb060bf234d/' does not have certificates managecontacts permission on key vault 'kv-dfin-eus2-dev-sat-c;location=eastus2'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287","innererror":{"code":"ForbiddenByPolicy"}}}: timestamp=2024-07-18T15:03:14.367-0500
2024-07-18T15:03:14.381-0500 [WARN]  Provider "registry.terraform.io/hashicorp/azurerm" produced an invalid plan for module.keyvault.azurerm_key_vault.key_vault, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .enable_rbac_authorization: planned value cty.False for a non-computed attribute
      - .network_acls[0].ip_rules: planned value cty.UnknownVal(cty.Set(cty.String)) does not match config value cty.SetVal([]cty.Value{cty.StringVal("192.168.1.0/24"), cty.StringVal("192.168.192.0/20"), **cty.UnknownVal(cty.String).RefineNotNull()}) nor prior value** cty.SetVal([]cty.Value{cty.StringVal("104.129.192.0/20")})
      - .network_acls[0].virtual_network_subnet_ids: planned value cty.SetValEmpty(cty.String) for a non-computed attribute

{"id":"/subscriptions/830ee61f-f704-422a-bb16-0c6a60221791/resourceGroups/rg-eus2-dev-saturn-core/providers/Microsoft.KeyVault/vaults/kv-dfin-eus2-dev-sat-c","name":"kv-dfin-eus2-dev-sat-c","type":"Microsoft.KeyVault/vaults","location":"eastus2","tags":{"app-name":"saturn-core","cost-center":"81083514US-Venue","data-classification":"restricted","deployment-date":"07-24-2023","end-of-life":"permanent","environment":"development","location":"eastus2","product-name":"saturn","product-owner":"jay.x.patel@dfinsolutions.com","region":"East US 2","workload-infra-owner":"david.puig@dfinsolutions.com","workload-owner":"david.puig@dfinsolutions.com"},"systemData":{"createdBy":"d8ead93e-fa4e-451a-b2c3-2cb10a6609a8","createdByType":"Application","createdAt":"2023-05-02T20:24:56.579Z","lastModifiedBy":"rr615973-dev@dfin365.onmicrosoft.com","lastModifiedByType":"User","lastModifiedAt":"2024-07-18T14:40:10.156Z"},"properties":{"sku":{"family":"A","name":"premium"},"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","networkAcls":{"bypass":"AzureServices","defaultAction":"Allow","ipRules":[{"value":"185.46.212.0/22"},{"value":"104.129.192.0/20"},{"value":"165.225.0.0/17"},{"value":"165.225.192.0/18"},{"value":"147.161.128.0/17"},{"value":"136.226.0.0/16"},{"value":"137.83.128.0/18"},{"value":"162.27.66.130/32"},{"value":"162.27.66.76/32"},{"value":"72.21.46.236/32"},{"value":"72.21.45.197/32"},{"value":"20.12.97.0/24"},{"value":"52.184.202.0/24"}],"virtualNetworkRules":[]},"accessPolicies":[{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"fcef2658-6f8d-4bfe-8221-e2de5d78eafa","permissions":{"keys":["Get","List","Backup"],"secrets":["Get","List","Backup"],"certificates":[],"storage":[]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"f40a4cc0-b49f-4d2b-835f-4660edcadac5","permissions":{"keys":["Get","List","Create","Encrypt","Decrypt"],"secrets":["Get","List","Set","Backup","Delete","Purge","Restore","Recover"],"certificates":["Get","List","Create","Delet
e","Import","Purge","Recover","Recover","Restore","Backup"],"storage":["Get","List"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"54b5f17b-e022-42b9-88d3-1c0ec20813e2","permissions":{"keys":["Get"],"secrets":["Get"],"certificates":["Get"],"storage":["Get"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"82288ec7-f5fb-418c-a2fa-c9a8ea0f42c4","permissions":{"keys":[],"secrets":["Get","List","Set","Delete","Recover","Backup","Restore"],"certificates":[]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"c552ea3f-82a8-4e30-a7b6-0a08143b2e04","permissions":{"keys":["Get","List","Update","Create","Import","Delete","Recover","Backup","Restore","GetRotationPolicy","SetRotationPolicy","Rotate"],"secrets":["Get","List","Set","Delete","Recover","Backup","Restore"],"certificates":["Get","List","Update","Create","Import","Delete","Recover","Backup","Restore","ManageContacts","ManageIssuers","GetIssuers","ListIssuers","SetIssuers","DeleteIssuers"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"05f54b98-b969-4232-a139-045350f70085","permissions":{"keys":["Get"],"secrets":["Get"],"certificates":["Get"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"41faa816-2d96-41a2-80bb-dffefc6aee68","permissions":{"keys":["Get"],"secrets":["Get","List","Set"],"certificates":["Get"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"a6887691-3c8c-40e0-9d17-1085a0e295cc","permissions":{"keys":["Get"],"secrets":["Get"],"certificates":["Get"],"storage":["Get"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"9b0e9728-45a5-4758-a254-050eef8f5879","permissions":{"keys":["List","Get","Update","Create","Delete"],"secrets":["Get","List","Set","Delete"],"certificates":[]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"0f6c17d7-11c4-4c55-844d-269d18aed5b5","permissions":{"keys":["Get"],"secrets":["Get"],"certificates":["Get"],"storage":["Get"]}},{"tenantId":"64ebfaf9-be45-43
c2-9e9c-fcb060bf234d","objectId":"af867ee8-1466-4cc8-aa9d-3a1bfcf3e0ab","permissions":{"keys":["Get"],"secrets":["Get"],"certificates":["Get"],"storage":["Get"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"74826071-efab-4a2e-bbbd-5dbe102c5748","permissions":{"keys":["Get"],"secrets":["Get"],"certificates":["Get"],"storage":["Get"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"b9daa933-02bf-474f-a73c-c86623668ec2","permissions":{"keys":[],"secrets":["Get","List"],"certificates":[]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"9f85cd99-3a47-4974-8b8b-c37daf0c8ca2","permissions":{"keys":[],"secrets":["Get","List"],"certificates":[]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"f715c3f3-f31d-4b33-8e76-675941b152bb","permissions":{"certificates":[],"keys":["Get","List","Update","Create","Import","Delete","Recover","Backup","Restore","GetRotationPolicy","SetRotationPolicy","Rotate"],"secrets":["Get","List","Set","Delete","Recover","Backup","Restore"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"1eb72711-b1ba-47b5-9f2f-cbca47b34040","permissions":{"certificates":["Get"],"keys":["Get"],"secrets":["Get"],"storage":["Get"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"02528324-28eb-4dc7-a8e3-48efde35195f","permissions":{"certificates":[],"keys":["List","Get","Create","Update"],"secrets":["Get","Set","List"]}},{"tenantId":"64ebfaf9-be45-43c2-9e9c-fcb060bf234d","objectId":"1f6e63fa-2d2c-4e6d-a975-254bfce849f2","permissions":{"certificates":["Get"],"keys":["Get"],"secrets":["Get"],"storage":["Get"]}}],"enabledForDeployment":true,"enabledForDiskEncryption":true,"enabledForTemplateDeployment":true,"enableSoftDelete":true,"softDeleteRetentionInDays":7,"enableRbacAuthorization":false,"vaultUri":"https://kv-dfin-eus2-dev-sat-c.vault.azure.net/","provisioningState":"Succeeded","publicNetworkAccess":"Enabled"}}: timestamp=2024-07-18T15:03:14.829-0500
2024-07-18T15:03:14.833-0500 [WARN]  Provider "registry.terraform.io/hashicorp/azurerm" produced an invalid plan for module.keyvault.azurerm_key_vault_access_policy.key_vault_access_policy[0], but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .application_id: planned value cty.StringVal("") for a non-computed attribute

Expected Behaviour

The plan should add my public IP to the list rather than remove all of the existing IP rules, even when the local IP cannot be calculated at plan time because of the concat function. Additionally, the same expression works for the storage account's network_rules block, where it only adds the public IP.

Actual Behaviour

I wanted to add the local ip by adding...

ip_rules = var.disallow_public_traffic ? [] : concat(var.custom_ip_rules, [local.msft_agent_public_ip, "185.46.212.0/22", "104.129.192.0/20"... ])

This change deletes all the current ip rules: image

Steps to Reproduce

Run `terraform plan` against an Azure Key Vault that already has IP rules configured.

Important Factoids

No response

References

No response

wuxu92 commented 1 month ago

Hi @Joseluismantilla , I believe this is a Terraform by-design behavior rather than a provider issue. If you believe it needs to be fixed, please file an issue in Terraform Core: https://github.com/hashicorp/terraform/issues